This is likely a simple one but what's the grok pattern for this? I have gone through all the ones I could find but I cant get a match for the format 03-MAR-21 00:40:2
Currently I am using a string but need to change it from a string to a time as its causing reporting issues
grok {
match => { "message" => [ "%{GREEDYDATA:timestamp}
}
date {
match => [ "timestamp", "dd-MMM-yy HH:mm:ss" ]
target => "@timestamp"
}
That appears to match the core TIMESTAMP_ISO8601 pattern, so you could use
grok { match => { "message" => "%{TIMESTAMP_ISO8601 :timestamp}" } }
I normally think of ISO8601 dates as having four digit years, but the pattern works with two as well.
Thanks for the response.
I tried that but I get "_grokparsefailure". If I try "%{TIMESTAMP_ISO8601:timestamp}" on the grok debugger tool it fails as well.
Sorry, if the month abbreviation is all upper case you will need a custom pattern
grok {
pattern_definitions => {
"CUSTOMMONTH" => "(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)"
"CUSTOMTIMESTAMP" => "%{YEAR}-%{CUSTOMMONTH}-%{MONTHDAY} %{TIME}"
}
match => { "message" => "%{CUSTOMTIMESTAMP:timestamp}" }
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.